My coworker (btw, I am a Systems Security Engineer for the govt (CISSP), and have been doing security for decades) started up Wireshark, and then D3... he was telling me how easy it was to hijack his session... the session ID floating around out there... and then we got into the 2-step process it took to reverse engineer his authenticator.
Yeah, a friend of mine mentioned their use of unencrypted session IDs on the forums and they won't comment. Battle.net went down for maintenance later on as well which is amusing timing. I'd also note this same problem happened with Rift at launch but at least the devs owned up to it and fixed things quickly. This will likely just be handwaved away under the predictable guise of "ppl r stupid with computars!" which may be true but doesn't really answer every single case of this.
The other thing is that Battle.net accounts are very lucrative to hack. They are worth $25-50 a pop on the "black market", pose no risk of prosecution and are highly in demand. The idea that Blizzard is some unhackable entity just by virtue of being a profitable corporation is laughable. Quite often it's those same institutions which view IT/IS as money black holes and don't invest enough in them.